Published: 1999-12-19 00:00:00
Revised: 2016-10-17 22:00:05

[Original] Groupwise web server GWWEB.EXE allows remote attackers to read arbitrary files with .htm extensions via a .. (dot dot) attack using the HELP parameter.

[CNNVD] Multiple vulnerabilities in Novell GroupWise GWWEB.EXE (CNNVD-199912-060)


- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/a:novell:groupwise:5.2 Novell Groupwise 5.2
cpe:/a:novell:groupwise:5.5 Novell Groupwise 5.5

- OVAL (technical details for detection)


- Official database links
(Official data source) MITRE
(Official data source) NVD
(Official data source) CNNVD

- Other links and resources
(UNKNOWN)  BUGTRAQ  19991219 Groupewise Web Interface

- Vulnerability information

Multiple vulnerabilities in Novell GroupWise GWWEB.EXE
Medium risk  Unknown
1999-12-19 00:00:00 2006-09-05 00:00:00

- Advisories and patches


- Vulnerability information (19682)

Netscape Enterprise Server, Novell Groupwise 5.2/5.5 GWWEB.EXE Multiple Vulnerabilities (EDBID:19682)
novell remote
1999-12-19 Verified
0 Sacha Faust Bourque
N/A
Netscape Enterprise Server for NetWare 4/5 3.0.7 a,Novell Groupwise 5.2/5.5 GWWEB.EXE Multiple Vulnerabilities


The HELP function in GWWEB.EXE will reveal the path of the server, and combined with the '../' string, allow read access for any client to any .htm file on the server, as well as browseable directory listings.

Also, it is possible to abend GWINTER.NLM by specifying a long string where the server expects a variable setting. 

Requesting the following URL from the GroupWise server
http ://victimhost/cgi-bin/GW5/GWWEB.EXE?HELP=asdf
will return the error message:
revealing the full path of the GroupWise server software.
Note: The URL above may need to be tailored to the target system.

To read .htm files anywhere on the server, or to browse directories, use HELP and the ../ string to traverse directories, for example:
http ://victimhost/cgi-bin/GW5/GWWEB.EXE?HELP=../../../secret.htm
http ://victimhost/cgi-bin/GW5/GWWEB.EXE?HELP=../../../
Again, the paths shown above may need to be modified.

To abend GWINTER.NLM request a URL like:
http ://victimhost/cgi-bin/GW5/GWWEB.EXE?[512+ chars]
It may be possible to remotely execute arbitrary code via this buffer overflow.
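
For defenders reviewing web server logs, the sketch below flags the two request shapes described above: a HELP value containing `..` path segments (including URL-encoded and backslash forms) and a GWWEB.EXE query string of 512 or more characters. It is an added example, not code from the advisory or from Novell; the Common Log Format layout, the sample lines and the rule names are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')
OVERLONG_QUERY = 512  # the advisory reports an abend at 512+ characters

# Constructed Common Log Format lines (documentation addresses, not real traffic).
PREFIX = '192.0.2.10 - - [19/Dec/1999:10:00:00 +0000] "GET '
SAMPLE_LOG = [
    PREFIX + '/cgi-bin/GW5/GWWEB.EXE?HELP=asdf HTTP/1.0" 200 312',
    PREFIX + '/cgi-bin/GW5/GWWEB.EXE?HELP=../../../secret.htm HTTP/1.0" 200 1840',
    PREFIX + '/cgi-bin/GW5/GWWEB.EXE?HELP=%252e%252e%2f%2e%2e%5c HTTP/1.0" 200 977',
    PREFIX + '/cgi-bin/GW5/GWWEB.EXE?' + "A" * 600 + ' HTTP/1.0" 500 0',
    PREFIX + '/index.htm?HELP=../x.htm HTTP/1.0" 404 0',
]

def decode_fully(text, rounds=3):
    """URL-decode repeatedly so %2e%2e and double-encoded forms are normalised."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def classify(line):
    """Return the rule names a single access-log line matches."""
    match = REQUEST_RE.search(line)
    if not match:
        return []
    path, _, query = match.group(1).partition("?")
    if not decode_fully(path).upper().endswith("/GWWEB.EXE"):
        return []
    findings = []
    if len(query) >= OVERLONG_QUERY:
        findings.append("overlong-query")
    for pair in query.split("&"):
        name, _, value = pair.partition("=")
        segments = decode_fully(value).replace("\\", "/").split("/")
        if decode_fully(name).upper() == "HELP" and ".." in segments:
            findings.append("help-traversal")
            break
    return findings

def scan(lines):
    """Map 1-based line numbers to findings, skipping clean lines."""
    return {n: hits for n, line in enumerate(lines, 1) if (hits := classify(line))}

if __name__ == "__main__":
    for number, hits in scan(SAMPLE_LOG).items():
        print(number, ",".join(hits))
```

The `HELP=asdf` path-disclosure request is deliberately left unflagged, because the page does not list which HELP values are legitimate; a site that knows its own help file names could add an allowlist check at that point.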


- Vulnerability information

Novell GroupWise GWWEB.EXE HELP Parameter Traversal Arbitrary File Access
Remote / Network Access Input Manipulation
Loss of Confidentiality
Exploit Public

- Vulnerability description

Novell Groupwise contains a vulnerability that allows a remote attacker to read arbitrary files in the web path. The issue is due to a lack of sanity checking for input passed to the HELP variable in the GWWEB.EXE program. By providing a .htm or .html file name and ../../ traversal attack, anyone can view any document within the web server path.

- Timeline

1999-12-19 Unknown
1999-12-19 Unknown

- Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

- Related references

- Vulnerability author

Unknown or Incomplete